
Monitoring and Managing Services in the Cloud

By Brian Desmond

Contents
Monitoring and Managing Services in the Cloud
Monitoring Service Availability
Service Quality Monitoring
Dynamic End-User Devices
Service Provisioning
Auditing and Reporting
Assessing the Cloud

Monitoring and Managing Services in the Cloud

The cloud presents many opportunities for organizations to expand service offerings, save money, and deliver better service to their end users and customers. The rapid proliferation of cloud offerings has placed increasing pressure on IT administrators as decision makers learn about the value of the cloud and look to move the organization to it. Many points matter when making an educated decision about moving to the cloud, but one important point is monitoring and managing the cloud provider as well as the organization's connectivity to it, usually over the Internet. The touch points for monitoring and managing a cloud provider vary depending on whether you are using the provider to host servers or to deliver a specific application, but fundamentally many of the touch points are the same.

While many cloud services come with availability guarantees in the form of Service Level Agreements (SLAs), it is less common to find accurate and readily accessible reporting from the service provider on how it met its SLAs in a given period. Likewise, even when the cloud service itself is available, if the organization's Internet connectivity cannot sustain the quality and volume of traffic required, the perceived availability of the cloud service may suffer substantially.

On-premises services often take advantage of central authentication services (for example, Active Directory) and can connect directly to human resources databases and identity management systems to obtain user information and to receive provisioning and deprovisioning requests for user access in an automated fashion. When services move to the cloud, this information must be transmitted securely, and only when it is necessary and the risk of it leaving the organization's network is acceptably low. More importantly, end-user access must be provisioned to and deprovisioned from cloud services in order to ensure timely access, reduce risk, and limit the effort required of IT administrators to manage the cloud service.


Sponsored by ScriptLogic

As servers and applications move off premises into the cloud, security, auditing, and reporting requirements must still be met. When a service is delivered from an on-premises datacenter, it is often much easier to report on user access, collect audit trails, and generally satisfy regulatory compliance requirements. With cloud services, the security ecosystem is no longer entirely under the organization's control, so proper planning and tooling must be in place to collect the security data needed for reporting and to monitor for breaches and compliance problems. As end users supply their own mobile devices with increasing frequency, it is even more important to understand where and how data is being accessed in order to manage the risk of data loss.

Monitoring Service Availability

Any cloud service that is important to an organization should have a commercially backed SLA that includes penalties for the service provider if the SLA is breached. While some service providers offer built-in reporting capabilities and dashboards, it is also prudent to validate these metrics independently, track availability against the SLA, and alert on outages promptly so that resources such as the help desk can be prepared to manage them. Because a probe run from inside the organization's network measures the Internet connection as well as the provider, it is worth probing from at least one external vantage point so that a provider outage can be distinguished from a local connectivity problem. There are numerous components to the availability of any service, whether it is delivered as a cloud service, hosted on servers the organization manages in a public or private cloud, or run in an on-premises environment. Every service is different, so it is critical to tailor the monitoring to the specifics of the server or service, and to select a monitoring product that has native support for that class of service (e.g., email, web site).

At a high level, any service requires monitoring of basic metrics such as general reachability (via ICMP ping, for example) and latency. If you are monitoring servers hosted in the cloud, you will need to monitor the same basic health metrics that apply on-premises, such as CPU utilization, memory pressure, and storage performance. In public cloud services where billing is based on CPU utilization, tracking this data is even more important for accurate forecasting.

Beyond basic metrics, every service requires some customized monitoring. A simple web site or web application might be monitored for the time the web server takes to return a response, and for whether the correct response is returned at all. If an incorrect response (such as an HTTP 500 server error) is returned, the monitoring tool should alert the service owner and other interested parties immediately. An email service, on the other hand, has numerous monitoring touch points. These will likely include message routing: how long an email takes to travel between on-premises SMTP servers and the cloud service, and whether mail is accepted at all times rather than bounced due to an error. Depending on the type of email service in use, other checks might include IMAP/POP availability monitoring with a synthetic logon, or validating the availability and performance of the web mail interface.

Aside from basic alerting and monitoring, it is important that the monitoring tool can present metrics in an easy-to-read format that can be compared with the service provider's SLAs as well as the organization's internal service level commitments. It is also useful to periodically compare these metrics with any reporting the cloud provider offers about its service, at either the application or server level. Service owners should review this data regularly to ensure that service levels are being met. For public cloud scenarios, the ability to independently approximate the resource utilization metrics that drive billing will also be of great use.
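The following script is an added example, not code from the paper or from any monitoring product. It shows the synthetic-check approach described above for a web application: each probe records the HTTP status and response time, a probe is counted as a failure if the status is wrong (such as HTTP 500) or the response is slower than an agreed threshold, and the resulting availability and p95 latency are compared with SLA targets. The probe results, SLA figures and thresholds are constructed for the example; the http_probe() function is included so the same code can be pointed at a live service.

```python
"""Synthetic availability checks evaluated against an SLA (added example)."""
import math
import time
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class Probe:
    ts: float              # epoch seconds when the probe was sent
    status: Optional[int]  # HTTP status, or None if no response at all
    latency_ms: float      # round-trip time in milliseconds


def http_probe(url: str, timeout: float = 5.0) -> Probe:
    """Issue one real HTTP GET; only used when run against a live service."""
    start = time.monotonic()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as exc:
        status = exc.code      # the server answered, but with an error status
    except (urllib.error.URLError, OSError):
        status = None          # DNS failure, connection refused, timeout
    return Probe(ts=start, status=status, latency_ms=(time.monotonic() - start) * 1000)


def is_success(p: Probe, expected_status: int = 200, max_latency_ms: float = 2000) -> bool:
    # A wrong response (HTTP 500) or a response that is too slow counts as
    # downtime for SLA purposes, not only a total lack of response.
    return p.status == expected_status and p.latency_ms <= max_latency_ms


def percentile(values: Iterable[float], pct: float) -> float:
    """Nearest-rank percentile (pct in 0..100)."""
    ordered = sorted(values)
    if not ordered:
        raise ValueError("no samples")
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def availability(probes: List[Probe], **kw) -> float:
    """Fraction of probes that succeeded, 0.0..1.0."""
    if not probes:
        raise ValueError("no samples")
    ok = sum(1 for p in probes if is_success(p, **kw))
    return ok / len(probes)


def sla_report(probes: List[Probe], sla_availability: float, sla_p95_ms: float) -> dict:
    """Compare measured availability and p95 latency with the SLA targets."""
    avail = availability(probes)
    responded = [p.latency_ms for p in probes if p.status is not None]
    p95 = percentile(responded, 95) if responded else math.inf
    return {
        "availability": avail,
        "p95_latency_ms": p95,
        "availability_breached": avail < sla_availability,
        "latency_breached": p95 > sla_p95_ms,
    }


# Constructed sample: 100 one-minute probes, two answered with HTTP 500 and
# one with no response at all. These values are made up for the example.
SAMPLE_PROBES = [Probe(ts=60 * i, status=200, latency_ms=120 + (i % 7) * 10) for i in range(100)]
SAMPLE_PROBES[10] = Probe(ts=600, status=500, latency_ms=90)
SAMPLE_PROBES[11] = Probe(ts=660, status=500, latency_ms=95)
SAMPLE_PROBES[50] = Probe(ts=3000, status=None, latency_ms=5000)

if __name__ == "__main__":
    # Three failed probes out of 100 is 97% availability, well below a 99.9% SLA.
    print(sla_report(SAMPLE_PROBES, sla_availability=0.999, sla_p95_ms=500))
```

Keeping the raw probes (not just the computed percentage) is what makes the numbers defensible in an SLA dispute with the provider; the report should be regenerated from them for each SLA period.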

Service Quality Monitoring

Some applications and services are especially susceptible to service degradation if the quality of the organization's Internet connection is poor. An example is a cloud-based Voice over Internet Protocol (VoIP) provider. Voice traffic is susceptible to both latency and jitter: latency is the time it takes for a network packet to travel from source to destination, and jitter is the variability in latency. Videoconferencing is another application that degrades under latency and jitter. To ensure that applications such as VoIP perform as expected, it is important to monitor these metrics and to configure network equipment to apply Quality of Service (QoS) traffic management to sensitive traffic. Note that QoS only governs the links the organization controls; once traffic leaves for the Internet, its markings are generally not honored, which is another reason to measure end-to-end quality rather than assume it.

When a service or application moves to the cloud, its network traffic travels over the organization's Internet connection. Plan for this, because many applications require significant bandwidth, either individually or at scale. Without proper planning, deploying the cloud service may overload the organization's Internet connection. Some public and private cloud providers allow organizations to create Virtual Private Network (VPN) tunnels over the Internet so that traffic to the cloud is encrypted and the path is controlled. VPN tunnels add processing and management overhead, so monitoring connection quality becomes all the more important.

A common example of an individual application that could overload the Internet connection is video streaming. Take an organization that moves the streaming of an internal event from an on-premises system to the cloud: every employee watching the stream now consumes Internet bandwidth. Other applications might not seem to be large consumers of bandwidth at first glance. Email is one example: an individual user is unlikely to generate substantial Internet traffic, but a large number of users in one office collectively accessing email, or another application, can generate a measurable load. To make an informed decision about the bandwidth a new cloud service, or connections to servers located in the cloud, will consume, it is critical to have historical data showing average and peak utilization of the organization's Internet connection(s). From this data an informed decision can be made about whether capacity must be added to accommodate the application.

In addition to evaluating this data while considering a move to the cloud, it is also important to review trending data regularly (e.g., quarterly) to determine whether the organization's bandwidth utilization has grown organically to the point where additional capacity is required.
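The following script is an added example and not part of the original paper. It computes the two voice-quality metrics defined above from a series of delay measurements (the simple "variability in latency" definition, and the smoothed interarrival-jitter estimator from RFC 3550 that VoIP equipment typically reports), and answers the capacity question with a headroom calculation that combines the link's measured peak with a new service's per-user demand. The sample delays, the link and user figures, and the VoIP thresholds are all assumptions made for the example.

```python
"""Latency, jitter and Internet-link capacity checks (added example)."""
from typing import Sequence


def mean_latency_ms(delays_ms: Sequence[float]) -> float:
    if not delays_ms:
        raise ValueError("no samples")
    return sum(delays_ms) / len(delays_ms)


def mean_abs_jitter_ms(delays_ms: Sequence[float]) -> float:
    """Jitter as the mean absolute difference between consecutive delay samples."""
    if len(delays_ms) < 2:
        return 0.0
    diffs = [abs(b - a) for a, b in zip(delays_ms, delays_ms[1:])]
    return sum(diffs) / len(diffs)


def jitter_rfc3550(delays_ms: Sequence[float]) -> float:
    """RFC 3550 section 6.4.1 smoothed jitter estimate: J += (|D| - J) / 16.

    Responds slowly to a single spike and converges on the typical variation,
    which is why VoIP gear reports it instead of the raw mean difference.
    """
    j = 0.0
    for a, b in zip(delays_ms, delays_ms[1:]):
        j += (abs(b - a) - j) / 16
    return j


def voice_quality_ok(delays_ms: Sequence[float],
                     max_latency_ms: float = 150.0,
                     max_jitter_ms: float = 30.0) -> bool:
    # Thresholds are assumptions for the example (commonly cited VoIP
    # planning values), not figures from the paper.
    return (mean_latency_ms(delays_ms) <= max_latency_ms
            and mean_abs_jitter_ms(delays_ms) <= max_jitter_ms)


def link_headroom_mbps(link_mbps: float, peak_mbps: float, users: int,
                       per_user_kbps: float, concurrency: float = 1.0) -> float:
    """Capacity left after adding a service used by `users` at `per_user_kbps`.

    `peak_mbps` is the historical peak utilization of the link; `concurrency`
    is the fraction of users expected to be active at once (1.0 for an
    all-hands video stream, far lower for email). A negative result means
    the link must be upgraded before the service is deployed.
    """
    new_demand_mbps = users * concurrency * per_user_kbps / 1000
    return link_mbps - peak_mbps - new_demand_mbps


# Constructed sample one-way delays (ms) for a VoIP call: steady ~40 ms
# with one burst in the middle.
SAMPLE_DELAYS = [40, 42, 41, 39, 40, 95, 41, 40, 42, 40]

if __name__ == "__main__":
    print("mean latency", mean_latency_ms(SAMPLE_DELAYS))
    print("mean abs jitter", round(mean_abs_jitter_ms(SAMPLE_DELAYS), 2))
    print("rfc3550 jitter", round(jitter_rfc3550(SAMPLE_DELAYS), 2))
    print("voice ok", voice_quality_ok(SAMPLE_DELAYS))
    # 100 Mbps link with a 60 Mbps historical peak: an all-hands 1.5 Mbps
    # stream to 500 employees does not fit, email for the same users does.
    print("video headroom", link_headroom_mbps(100, 60, 500, 1500, 1.0))
    print("email headroom", link_headroom_mbps(100, 60, 500, 64, 0.2))
```

The headroom figure is only as good as the peak it is based on, which is why the text insists on historical average and peak utilization data rather than a snapshot.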

Dynamic End-User Devices

Over the past several years, organizations have faced an increasing number of mobile devices, often supplied by the end user, with the expectation that the device will have access to company information. This data might be available through a web-based interface or through an application written specifically for the device (e.g., an iPhone or iPad). The risk introduced by end users supplying their own devices can be significant, in addition to increased support costs. When company information is accessed from a device that is not managed by the organization's IT department, the ability to control the lifecycle of the data is greatly reduced. Mobile devices are inherently susceptible to data loss because they are easy to lose.

These risks can be managed to a degree with basic security constraints and end-user training. In the case of training, it is important to communicate the varying degrees of impact that information might have. When users understand this, and data is labeled accordingly, they can make informed decisions about where to access documents and data, where to store copies of them, and so forth. For example, company policy may prohibit accessing High Business Impact (HBI) information on a mobile device. In addition to the human side of the problem, there are technical controls for managing these devices. Simple measures such as requiring device encryption and a security PIN to unlock are a good first step. Some organizations may decide to deploy a management agent or tool on each device in order to maintain a greater degree of central control for both policy and application management, including the ability to wipe company data from a device that has been lost.

Service Provisioning

In order for end users to take advantage of any service or application, whether hosted on-premises or in the cloud, the user typically requires some degree of access to be provisioned in the application. For an on-premises application, this provisioning is often simply a matter of linking a user's existing Active Directory account to an identity in the application. For cloud-based applications, it might require a separate username and password to be provisioned for the user in the application, or identity federation to be configured.

There are numerous ways to solve the user provisioning problem, but fundamentally they boil down to three approaches.

The first approach is to provision separate user accounts in each cloud service and rely on the user to maintain separate usernames and passwords for each. For organizations using a very limited number of cloud providers or cloud-hosted servers this may be manageable, but support costs will certainly rise as the number of credentials a user has to maintain increases.

The second approach applies to applications running on servers hosted in a public or private cloud: it may be possible to establish a VPN tunnel so that the cloud servers can integrate directly with the organization's Active Directory. Users can then simply be granted access to the server or application on the basis of a pre-existing Active Directory account. This is not always possible, depending on the architecture of the cloud offering.

The third approach is identity federation. Federation enables users to access cloud applications with their on-premises credentials (i.e., from Active Directory) using standard protocols carried over HTTP. When a user attempts to access the cloud application, the browser is redirected to a federation web server in the user's organization. The federation server authenticates the user and, on success, redirects the browser back to the cloud service. During this exchange the cloud application receives information about the user in the form of claims and can grant access as appropriate. The user's password is never presented to the cloud application; the cloud side only needs to trust the federation server's signing key.

In all three approaches, a process must be in place to provision and maintain user information in the cloud service.
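The exchange described for the third approach, as an added example that is not code from the paper or from any federation product: the on-premises federation server authenticates the user against a constructed stand-in for the directory and issues a signed set of claims, and the cloud application verifies the signature, issuer, audience and expiry before mapping a group claim to an application role. Real deployments carry the claims in a SAML or WS-Federation token with an XML signature verified against the federation server's public key; this example signs with an HMAC shared secret to keep the signature step short, but the checks the relying party performs are the same. The issuer URL, audience, secret, directory entries and role mapping are all assumptions made for the example.

```python
"""Claims-based federation exchange, simplified (added example)."""
import base64
import hashlib
import hmac
import json
import time

# Assumed identifiers for the example.
FEDERATION_ISSUER = "https://fs.example.internal/adfs/services/trust"
CLOUD_APP_AUDIENCE = "https://mail.cloud-example.test/"
SHARED_SECRET = b"example-shared-secret-do-not-use"

# Constructed stand-in for Active Directory: user -> (password, groups).
DIRECTORY = {
    "alice@example.internal": ("correct horse battery staple", ["Staff", "Mail-Admins"]),
    "bob@example.internal": ("hunter2", ["Staff"]),
}

# How the cloud app turns directory groups into application roles;
# listed highest privilege first because the first match wins.
ROLE_MAP = {"Mail-Admins": "admin", "Staff": "user"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def federation_server_issue(username, password, audience, now=None, ttl=300):
    """The federation server authenticates the user and issues signed claims.

    Returns the token string, or None when authentication fails (in which
    case the user is never redirected back to the cloud service).
    """
    entry = DIRECTORY.get(username)
    if entry is None or not hmac.compare_digest(entry[0], password):
        return None
    now = time.time() if now is None else now
    claims = {
        "iss": FEDERATION_ISSUER,   # who issued the token
        "aud": audience,            # which application it is for
        "sub": username,
        "groups": entry[1],
        "iat": int(now),
        "exp": int(now) + ttl,      # short lifetime limits replay
    }
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SHARED_SECRET, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def cloud_app_accept(token, now=None):
    """The cloud app verifies the token and derives (subject, role).

    Raises ValueError with the reason for rejection; the order of the checks
    matters: nothing inside the token is trusted until the signature holds.
    """
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(SHARED_SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    claims = json.loads(body)
    if claims.get("iss") != FEDERATION_ISSUER:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != CLOUD_APP_AUDIENCE:
        raise ValueError("token not meant for this application")
    now = time.time() if now is None else now
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    for group, role in ROLE_MAP.items():
        if group in claims.get("groups", []):
            return claims["sub"], role
    raise ValueError("no application role for this user")


if __name__ == "__main__":
    token = federation_server_issue("alice@example.internal",
                                    "correct horse battery staple",
                                    CLOUD_APP_AUDIENCE)
    print(cloud_app_accept(token))   # ('alice@example.internal', 'admin')
```

The audience check is the one most often forgotten: without it, a token the federation server issued for one cloud application can be replayed against another that trusts the same issuer.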
This process often takes the form of an identity management tool that synchronizes data to various systems from an authoritative source such as a human resources database. In some cases (without federation), it may be possible to synchronize passwords from an on-premises directory to the cloud service. However, this approach introduces risk: user passwords that control access to sensitive information are then in the hands of a third party, and a compromise of the provider, or of the synchronization channel, exposes credentials that are also valid on-premises.

In addition to provisioning users to the cloud service, consider how user access will be deprovisioned. Deprovisioning is especially important because many cloud services are priced per user; unnecessary accounts in the service raise costs directly, and a terminated employee whose account remains active retains access to company data. Deprovisioning may take two forms depending on the cloud service. In some cases it may simply consist of removing a user's access to the service on termination. In others it may be necessary to manage permissions and roles inside the cloud service as the user changes jobs and responsibilities in the organization.
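The following is an added example, not code from the paper or from any identity management product, of the synchronization step the last two paragraphs describe. The HR feed is treated as the authoritative source; it is compared with the cloud service's current account list and the differences become the actions to carry out: create accounts for new hires, disable accounts for leavers (which also stops per-user billing), re-enable and re-role accounts for people who return or change jobs, and flag accounts the cloud service holds that HR knows nothing about. The record shapes, the department-to-role mapping and both data sets are constructed for the example.

```python
"""Provisioning reconciliation against an authoritative HR feed (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class HrRecord:
    employee_id: str
    email: str
    department: str
    active: bool


@dataclass
class CloudAccount:
    email: str
    role: str
    enabled: bool


# Department-to-role mapping for the cloud service (assumed for the example).
DEPT_ROLE = {"Finance": "finance-user", "IT": "admin", "Sales": "user"}


@dataclass
class Plan:
    create: List[CloudAccount] = field(default_factory=list)
    disable: List[str] = field(default_factory=list)
    reenable: List[str] = field(default_factory=list)
    change_role: Dict[str, str] = field(default_factory=dict)  # email -> new role
    orphans: List[str] = field(default_factory=list)           # in cloud, unknown to HR


def reconcile(hr: List[HrRecord], cloud: List[CloudAccount]) -> Plan:
    """Diff the authoritative HR feed against the cloud account list."""
    plan = Plan()
    cloud_by_email = {a.email: a for a in cloud}
    seen = set()
    for rec in hr:
        seen.add(rec.email)
        wanted_role = DEPT_ROLE.get(rec.department, "user")
        acct = cloud_by_email.get(rec.email)
        if not rec.active:
            # Leaver: disable rather than delete so the audit trail survives.
            if acct is not None and acct.enabled:
                plan.disable.append(rec.email)
            continue
        if acct is None:
            plan.create.append(CloudAccount(rec.email, wanted_role, True))
            continue
        if not acct.enabled:
            plan.reenable.append(rec.email)
        if acct.role != wanted_role:
            # Job change: the old role must go, not just the new one added.
            plan.change_role[rec.email] = wanted_role
    # Enabled accounts with no HR record keep costing money and carrying
    # access; they need a human decision, so they are reported, not deleted.
    for acct in cloud:
        if acct.email not in seen and acct.enabled:
            plan.orphans.append(acct.email)
    return plan


# Constructed sample data.
HR_FEED = [
    HrRecord("1001", "alice@example.test", "IT", True),
    HrRecord("1002", "bob@example.test", "Finance", True),   # moved Sales -> Finance
    HrRecord("1003", "carol@example.test", "Sales", False),  # terminated
    HrRecord("1004", "dave@example.test", "Sales", True),    # new hire
]
CLOUD_ACCOUNTS = [
    CloudAccount("alice@example.test", "admin", True),
    CloudAccount("bob@example.test", "user", True),
    CloudAccount("carol@example.test", "user", True),
    CloudAccount("contractor@example.test", "user", True),  # no HR record
]

if __name__ == "__main__":
    print(reconcile(HR_FEED, CLOUD_ACCOUNTS))
```

Running the reconciliation on a schedule, and alerting when the disable list is non-empty but the cloud service still shows the account enabled on the next run, turns deprovisioning from a help desk ticket into something that is verified.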

Auditing and Reporting

As data moves into the cloud, it becomes even more important to audit and report on who has access to that data, as well as on any modifications to it. Compliance requirements continue to grow, and the burden of meeting them increases proportionally. As part of evaluating a cloud service or application, decision makers must assess the offering's impact on compliance and regulatory requirements. This evaluation may involve access to logging information from servers or security devices (e.g., virtual firewalls) in the cloud, or audit trail information from a cloud-based application or service. For example, some organizations are moving extremely sensitive information (such as Personally Identifiable Information [PII]) to cloud-based human resources and payroll solutions.

Once the risk assessment has been performed, plan how the data necessary for proper reporting and auditing will be collected and preserved. Some cloud services may only offer the ability to retrieve this data on demand inside the application, while more complex public or private cloud solutions may offer an interface for retrieving auditing information programmatically. Once collected, the information must be stored and made accessible for reporting; the retention period should match the longest applicable compliance requirement rather than whatever the provider keeps by default. Some reports should be reviewed regularly, while others may only need to be produced on demand. An example of a report that should be reviewed regularly is one showing which users have elevated (e.g., administrative) access to a system. Audit trail information for documents accessed, on the other hand, might only be required annually to satisfy an audit. Having the tools and capabilities to track this type of data and report on it is very important to many organizations.
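The following is an added example, not code from the paper or from any cloud service's reporting interface. It takes audit events in the kind of shape a cloud application might export (one JSON object per line; the field names are assumed), replays role grants and revocations in time order to reconstruct who currently holds an administrative role, and lists document access per user for a review period, which are the two report types the text singles out. The events are constructed sample data, and one deliberately malformed line shows that a bad record is skipped rather than allowed to blank the whole report.

```python
"""Elevated-access and document-access reports from an audit trail (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Constructed sample export; field names are assumptions for the example.
SAMPLE_AUDIT_JSONL = """
{"ts":"2012-01-03T09:00:00Z","actor":"admin@example.test","action":"role.grant","target":"alice@example.test","role":"Administrator"}
{"ts":"2012-01-05T10:15:00Z","actor":"alice@example.test","action":"document.read","target":"payroll-2011.xlsx"}
{"ts":"2012-01-06T11:00:00Z","actor":"admin@example.test","action":"role.grant","target":"bob@example.test","role":"Administrator"}
{"ts":"2012-02-01T08:30:00Z","actor":"admin@example.test","action":"role.revoke","target":"alice@example.test","role":"Administrator"}
{"ts":"2012-02-02T14:00:00Z","actor":"bob@example.test","action":"document.read","target":"payroll-2011.xlsx"}
{"ts":"2012-02-02T14:05:00Z","actor":"bob@example.test","action":"document.download","target":"payroll-2011.xlsx"}
not json at all
"""


def parse_ts(text: str) -> datetime:
    """Parse the export's UTC timestamp format into an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_events(text: str) -> List[dict]:
    """Parse JSON-lines audit export; skip unparseable lines, sort by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # one bad line must not discard the rest of the trail
        ev["ts"] = parse_ts(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def current_admins(events: List[dict], role: str = "Administrator",
                   as_of: Optional[datetime] = None) -> Set[str]:
    """Replay grants and revokes in time order to get the role's holders."""
    holders: Set[str] = set()
    for ev in events:
        if as_of is not None and ev["ts"] > as_of:
            break  # events are sorted, so nothing later matters
        if ev.get("role") != role:
            continue
        if ev["action"] == "role.grant":
            holders.add(ev["target"])
        elif ev["action"] == "role.revoke":
            holders.discard(ev["target"])
    return holders


def document_access(events: List[dict], start: datetime,
                    end: datetime) -> Dict[str, List[str]]:
    """Per-user list of 'action target' entries with start <= ts < end."""
    out: Dict[str, List[str]] = defaultdict(list)
    for ev in events:
        if start <= ev["ts"] < end and ev["action"].startswith("document."):
            out[ev["actor"]].append(f"{ev['action']} {ev['target']}")
    return dict(out)


if __name__ == "__main__":
    events = parse_events(SAMPLE_AUDIT_JSONL)
    print("admins now:", sorted(current_admins(events)))
    print("admins end of January:",
          sorted(current_admins(events, as_of=parse_ts("2012-01-31T23:59:59Z"))))
    print("February document access:",
          document_access(events, parse_ts("2012-02-01T00:00:00Z"),
                          parse_ts("2012-03-01T00:00:00Z")))
```

Reconstructing the privileged set from the trail, rather than asking the service for its current list, has the advantage that the same data answers the auditor's question "who was an administrator on a given date", which a point-in-time dashboard cannot.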

Assessing the Cloud

The promise of the cloud is winning the minds of many IT decision makers, but to make a successful move to the cloud, whether for servers and virtual machines or for cloud-based services and applications, a number of variables and risks must be evaluated and then managed over time. These include core network infrastructure factors such as bandwidth and latency, as well as security questions around mobile devices, user access management and authentication, and security auditing and reporting. Network management is critical to ensuring that access to the cloud is delivered with the speed and quality end users are accustomed to when accessing on-premises applications. When servers and applications move to the cloud, there is frequently no longer a capability to maintain direct access to a central authentication service such as Active Directory. Consequently, it becomes important to examine how authentication will be performed and how user access will be managed. Finally, security requirements that have traditionally applied to on-premises applications still apply, and are even more critical, with cloud-based servers and applications. The ability to access auditing data and create reports for monitoring, compliance, and audit purposes is crucial. As end users begin accessing data from mobile devices that are often not supplied by the company, understanding where data is accessed from, and controlling how and where it is stored, is extremely important.

Brian Desmond is a senior consultant with Moran Technologies. He has been a Microsoft MVP for Directory Services since 2003 and is the author of Active Directory, 4th Edition, from O'Reilly. Brian is an Active Directory and Exchange focused consultant leading and delivering projects primarily for large enterprise (40K to 500K seat) customers. His website can be found at www.briandesmond.com.
